Comparison of cube attacks over different vectorspaces

Richard Winter1, Ana Salagean1, and Raphael C.-W. Phan2

1 Department of Computer Science, Loughborough University, Loughborough, UK{R.Winter, A.M.Salagean}@lboro.ac.uk

2 Faculty of Engineering, Multimedia University, Malaysiaraphael@mmu.edu.my

Abstract. We generalise the cube attack of Dinur and Shamir (and thesimilar AIDA attack of Vielhaber) to a more general higher order differ-entiation attack, by summing over an arbitrary subspace of the space ofinitialisation vectors. The Moebius transform can be used for efficientlyexamining all the subspaces of a big space, similar to the method usedby Fouque and Vannet for the usual cube attack.Secondly we propose replacing the Generalised Linearity Test proposedby Dinur and Shamir with a test based on higher order differentiation/Moebius transform. We show that the proposed test provides all theinformation provided by the Generalised Linearity Test, at the samecomputational cost. In addition, for functions that do not pass the lin-earity test it also provides, at no extra cost, an estimate of the degree ofthe function. This is useful for guiding the heuristics for the cube/AIDAattacks.Finally we implement our ideas and test them on the stream cipherTrivium.

Keywords: Cube/AIDA attack, Trivium, Linearity testing, Moebiustransform, higher order differentiation

1 Introduction

The cube attack introduced by Dinur and Shamir [3] and the similar AIDAattack introduced by Vielhaber [11] have received much attention over the lastfew years. They can be viewed as higher order differential attacks (see [5] and [9]).The idea of higher order differentials was introduced in cryptography by Lai [10]and was used in many different attacks, most of them being statistical attacks,whereas the cube/AIDA attacks are primarily algebraic.

Several techniques were proposed in order to make the cube attack moreefficient. Of particular interest to the present work are the Moebius transformused by Fouque and Vannet [7] and the Generalised Linearity Test introducedby Dinur and Shamir [4].

We propose generalising the cube attack by using using higher order differen-tiation in its general form. In other words, rather than summing over a “cube”,

2

we sum over an arbitrary subspace of the space of public (tweakable) variables.The usual cube attack becomes then the particular case where the subspace isgenerated by vectors from the canonical basis. The Moebius transform can againbe used to make computations more efficient, by reusing values to compute thesummations over many subspaces at once.

Secondly we propose an alternative to the Generalised Linearity Test pro-posed by Dinur and Shamir [4]. Given a set of t linearly independent keys, ourlinearity test computes the higher order derivatives of order 2, 3, . . . , t with re-spect to any subset of keys and then checks whether all the results are zero. Ifa function fails this linearity test, the lowest order of a non-zero derivative givesa lower bound for the degree of the function, so we obtain extra information atno extra cost. We show that the set of functions that pass the General LinearityTest in [4] is exactly the same as the set of functions that pass our proposedtest. The extra information about the degree is useful for guiding the heuristicsin the cube attack, as it gives us information as to whether we are close or not toobtaining a linear function. Also, in some implementations of the cube attack,quadratic equations are used if insufficient linear equations are found.

We implemented our ideas and tested the implementation on the streamcipher Trivium [1], which is a popular candidate for testing cube attacks. Welooked at between 640 and 703 initialisation rounds. We tested several spacesof initialisation vectors of dimension 28 (including the space corresponding to ausual cube attack), and all their subspaces, using the Moebius transform. Weestimated the degrees of the results using our proposed linearity test.

We found one particular vector space which, compared to the usual cubeattack, produces significantly more linear equations, but at a slightly higher di-mension of subspaces. However for most vector spaces the results are significantlyworse than the usual cube attack, which leads us to believe that the success ofthe usual cube attack on Trivium is not only due to the relatively low degree ofthe polynomial, but also to the fact that the monomials of that polynomial arenot uniformly distributed, as would be expected if it was a random polynomial.In other words, the polynomials in Trivium are “aligned” with the canonical ba-sis rather than being in a generic position. We suggest therefore that precedingTrivium by a (secret) linear change of coordinates on the initialisation vectorswould improve its resistance to cube attacks. We did some preliminary exper-imental testing of this idea, but a full exploration would be a topic of futurework.

2 Preliminaries

2.1 Cube Attack

The Cube attack was originally proposed by Dinur and Shamir in [3] and isclosely related to the AIDA attack introduced by Vielhaber in [11].

Let f : Fn2 → F2 be a Boolean function in variables x1 . . . xn. Any Boolean

function can be written in Algebraic Normal Form, i.e. as a polynomial func-tion of degree at most one in each variable. Choosing a subset of indices I =

3

{i1 . . . ik} ⊆ {1, 2, . . . , n}, the “cube” CI is defined by choosing the 2k possible0/1 combinations for the variables with indices in I, with the other variables leftundetermined. Summing over all vectors in CI we obtain a function

fI =∑v∈CI

f(v).

which depends only on the variables which are not in I.Factoring out the term tI = xi1 · · ·xik , we can write f as

f(x1, . . . , xn) = tIfS(I) + r(x1, . . . , xn).

where fS(I) is a polynomial that shares no common variables with tI , whereas ris a polynomial in which each term misses at least one variable in tI . The mainresults on which the cube attack is based are:

Theorem 1. ([3, Theorem 1]) For any polynomial f and subset of variables I,fI ≡ fS(I) (mod 2).

Corollary 1. If deg(f) = d and I contains d − 1 elements, then fI has degreeat most one.

When mounting an actual attack, we have two types of variables, the secretvariables x1, . . . , xn and the public, or “tweakable” variables v1, . . . , vm, whichthe attacker can control. The cipher consists of a “black box” function g : Fn

2 ×Fm2 → F2. The attacker chooses a set I of indices of the public variables, sets the

other public variables to constant values (usually zero) and computes gI , whichwill now only depend on the secret variables. In the preprocessing phase, theattacker studies the cipher, so they can evaluate gI for any chosen values of thesecret variables. It is hoped that, for suitable choices of I (particularly the onesof cardinality approaching deg(g) − 1, assuming deg(g) ≤ m), gI is linear (butnot constant) in the secret variables. Linearity tests are discussed in the nextsection.

If the preprocessing phase found a large number of sets I for which gI islinear and non-constant (ideally n linearly independent gI), one can then usethis information in the online phase. Now the secret variables are unknown, butthe attacker can still control the public variables. The attacker computes gI forthe values of I identified in the preprocessing phase, and then they can determinethe secret variables by solving a system of linear equations.

2.2 Generalised Linearity Test

Consider a function f : Fn2 → F2. We want to decide whether f is an affine

function, i.e. it is a polynomial of degree one or less. We assume n is large andevaluations of f are costly, so we cannot evaluate f for all its inputs. We arelooking therefore for a probabilistic test.

In the original cube attack paper [3], Dinur and Shamir used the BLR test, i.e.the textbook definition of linearity: test whether f(a) +f(b) = f(a + b) +f(0).

4

If f fails this test, then it is not an affine function. If it passes the test for“sufficiently many” pairs a,b, then we conclude that f is probably affine.

Since the test above needs 3 evaluations of f for each test (assuming we storeand reuse f(0)), in [4, Section 4], Dinur and Shamir proposed the following Gen-eralised Linearity Test, which has the advantage that it reuses many evaluationsof f so it is overall much more computationally efficient.

Consider a set {b1, . . . ,bt} ⊆ Fn2 of linearly independent elements. The Gen-

eralised Linearity Test consists of the following set of 2t − t− 1 equations:{f(

t∑i=0

cibi) +

t∑i=0

cif(bi) + ((w(c)− 1)) mod 2)f(0) = 0|c ∈ Fn2 ,w(c) ≥ 2

}(1)

where w( ) denotes the Hamming weight. Again, if there are equations which arenot satisfied by f , then f is not affine, otherwise we conclude that f is probablyaffine (assuming t is “large enough”). Note that here we need 2t evaluations off for 2t − t − 1 tests, so an amortised cost of just over one evaluation per test,compared to 3 evaluations for the previous test.

Remark 1. In the original description of this test in [4] there is a mistake, inthat the term (w(c) − 1) mod 2 is missing. This would make the test incorrectwhenever the weight is odd, so affine functions with non-zero constant termwould wrongly fail the test.

2.3 Moebius Transform

Let f : Fn2 → F2. The Moebius transform of f is a function fM : Fn

2 → F2 definedas fM (y) =

∑x�y f(x) where x = (x1, . . . , xn) and the partial order relation

� is defined as (x1, . . . , xn) � (y1, . . . , yn) iff xi ≤ yi for all i = 1, . . . , n. It iswell known that the Moebius transform has the property that for any a ∈ Fn

2 ,fM (a) equals the coefficient of the term xa1

1 . . . xann in f . Further details about

the Moebius transform can be found, for example, in [8]. An efficient algorithmwhich, given the truth table of f computes the truth table of fM in-place inn2n−1 operations is also given in [8].

In connection with the cube attack, note that when choosing a set of variableindices I = {i1, . . . , ik}, if we define a as having ones in the positions in I andzeroes elsewhere, we have fI(0) = fM (a). Hence the algorithm for computingthe Moebius transform can also be used for efficiently computing fJ for all thesubsets J of a large set I.

The idea of making the cube attack more efficient by reusing computationsfor cubes which are all subcubes of a very large cube was sketched by Dinur andShamir [4]. Fouque and Vannet [6] fully developed this powerful technique viaMoebius transforms, thus obtaining results for Trivium for a larger number ofinitialisation rounds than previous cube attacks.

5

2.4 Higher order differentiation

The notion of higher order derivative (or higher order differentiation) was intro-duced in the cryptographic context by Lai [10].

Definition 1. Let f : Fn2 → F2 be a function in n variables x1, . . . , xn. Let

a = (a1, . . . , an) ∈ Fn2 \ {0}. The differentiation operator (or finite difference

operator) along a vector a associates to each function f the function ∆af (thederivative of f) defined as

∆af(x1, . . . , xn) = f(x1 + a1, . . . , xn + an) + f(x1, . . . , xn).

Denoting x = (x1, . . . , xn) we can also write ∆af(x) = f(x + a) + f(x).

Higher order differentiation (higher order derivative) refers to repeated applica-tion of this operator and will be denoted as:

∆(k)a1,...,ak

f = ∆a1∆a2 . . . ∆akf

where a1, . . . ,ak ∈ Fn2 \ {0} are linearly independent. An explicit expression for

computing higher order derivatives follows directly from the definition:

∆(k)a1,...,ak

f =∑

(c1,...,ck)∈{0,1}kf(x + c1a1 + . . .+ ckak) (2)

Differentiation decreases the degree of polynomials:

Theorem 2. [10] Let f : Fn2 → F2 and a ∈ Fn

2 \{0}. Then deg(∆af) ≤ deg(f)−1.

The main construction of the cube attack can be reformulated in terms of higherorder differentiation, see [5] and [9]. Namely for a set of indices I = {i1, . . . , ik}

fI = ∆(k)ei1

,...,eikf

where ei are the vectors of the canonical basis, i.e. they have a one in position iand zeroes elsewhere.

3 General differentiation attack

As in Subsection 2.1 we assume the cipher consists of a “black box” functiong(x,v) with g : Fn

2 × Fm2 → F2 and x denoting secret variables and v denoting

public variables. We generalise the cube/AIDA attacks by choosing an arbitrarysubspace V ⊆ Fm

2 of the space of public variables and defining a function gV as

gV (x) =∑v∈V

g(x,v).

Denote by k the dimension of V and let {v1, . . . ,vk} be a basis for V . Usingequation (2) we can give an equivalent formula for gV using higher order differ-

entiation, namely gV (x) = (∆(k)v1,...,vkg)(x,0). Note that the usual cube attack

6

becomes a particular case of this attack, for V = 〈ei1 , . . . , eik〉, where ei are thevectors of the canonical basis, and I = {i1, . . . , ik} are the positions chosen forthe usual cube attack.

Using Theorem 2 we have that deg(gV ) ≤ deg(g)− dim(V ). Hence, as in thecube attack (see Corollary 1), if the dimension of V is k = deg(g) − 1 we areguaranteed that gV is linear or constant.

We can therefore search for spaces V such that the resulting gV is a linearfunction in the secret variables. Linearity tests can detect whether the result islinear, like in the usual cube attack. This search space is a superset of the searchspace of the usual cube attack.

Moebius transform can be used here again for improved efficiency. Namely westart with a large vector space V = 〈v1, . . . ,vk〉 For any fixed value x of the secretvariables we compute the truth table of the function h(y1, . . . , yk) = g(x, y1v1 +. . . + ykvk). We then apply the Moebius transform to h. For any subspaceV ′ = 〈vi1 , . . . ,vij 〉 of V let a be the vector with ones in exactly the positionsi1, . . . , ij and zeroes elsewhere. We have hM (a) =

∑(c1,...,cj)∈{0,1}j g(x, c1vi1 +

. . .+ cjvij ) =∑

v′∈V ′ g(x,v′) = gV ′(x,0). Hence, again, the Moebius transformhM computes simultaneously all the gV ′(x,0) for all subspaces V ′ of V .

Remark 2. In [3] Dinur and Shamir also consider the possibility of setting someof the non-cube public variables to 1 rather than zero. That is not the same asour approach, as the set to sum over in that case is no longer a vector space. Wecan include that generalisation in our approach as follows. Let c be a fixed vectorof public variables and V a vector space. Instead of computing fV as before, wecan compute instead the sum ∑

v∈Vg(x, c + v)

which, using equation (2), can be proved to equal (∆(k)v1,...,vkg)(x, c). The attack

can work equally well in this scenario.

4 Proposed linearity test

We propose an alternative to the Generalised Linearity Test presented in Sub-section 2.2. Again, let f : Fn

2 → F2 and let {b1, . . . ,bt} ⊆ Fn2 be a set of t

linearly independent elements. (The question of how to choose a suitable valuefor t is, as we shall see, exactly the same as in [3], and a further discussion ofthis choice is beyond the scope of this paper.) For each d with 1 ≤ d ≤ t considerthe following set of equations:

Ld =

∑u�c

f(

t∑i=0

uibi) = 0|c ∈ Ft2,w(c) = d

(3)

where u � c means ui ≤ ci for all i = 1, . . . , t, as defined in Section 2.3. EachLd has

(td

)equations. Each equation can alternatively be written using higher

7

order derivatives:

Ld ={∆

(d)bi1

,...,bidf(0) = 0|{i1, . . . , id} ⊆ {1, . . . , t}

}.

Note that the equations in L2 correspond to the usual (BLR) linearity tests.The equations in L3 have been proposed for testing whether the function isquadratic in [4, Section 4]. The following result is quite straightforward but weprove it for completeness.

Proposition 1. If f has degree d, then it satisfies all the equations in the setsLd+1, . . . , Lt.

Proof. By Theorem 2, deg(∆(j)bi1

,...,bijf) ≤ deg(f)−j = d−j. Hence for all j > d

we have ∆(j)bi1

,...,bijf ≡ 0, so the equations Lj are satisfied for all j > d.

One can give an alternative proof of this result using the Moebius transform.

Based on the result above we propose an alternative to the Generalised LinearityTest. Namely we test whether a function f has degree one or less by testingwhether it satisfies the equations in the sets L2, . . . , Lt. An advantage of thistest is that if a function fails the test (i.e. has degree more than one), we canget, at no additional cost, an indication of its degree. Namely, if d is the highestnumber for which some equations in Ld are not satisfied, then we know thatdeg(f) ≥ d. We will estimate the degree of f as being d.

The proposed test contains the same number of equations (namely 2t− t−1)and needs the same number of evaluations of f (namely 2t) as the GeneralisedLinearity Test. If the function f is affine (has degree at most one), then it passesboth types of test, so there are no false negatives. If f has degree 2 or more itmight still pass one of the types of tests (i.e. we can have false positives). Wecan ask ourselves whether some functions can pass our proposed test but fail theGeneralised Linearity Test or vice-versa. We show that this is not possible, inother words the tests are equivalent. More precisely:

Proposition 2. A function f satisfies the Generalised Linearity Test (1) iff itsatisfies the sets of equations L2, L3, . . . Lt.

Proof. We rename y{i1,...,ij} = f(bi1 + . . .+bij). Both the Generalised LinearityTest and the set of equations L2, L3, . . . Lt can be rewritten as homogeneous sys-tems of 2t − t− 1 linear equations in the 2t unknowns yJ for all J ⊆ {1, . . . , t}.Both sets of equations are in triangular form, so both solution spaces have di-mension t+1. To prove that the two solution spaces are equal, it suffices thereforeto prove one inclusion. We show that a solution of the first set of equations isalso a solution for the second. The first system gives immediately the solution

y{i1,...,ij} =

j∑`=1

y{i`} + ((j − 1) mod 2)y∅. (4)

Consider now an equation from the second set corresponding to a vector c ofweight d ≥ 2. Let I = {i1, . . . , id} be the positions of the non-zero entries of c.

8

The equation becomes∑

J⊆I yJ = 0. Substituting the solution (4) of the firstsystem of equations in this equation we obtain an equation that only containsthe variables y{i1}, . . . , y{id} and y∅. We count how many times each of thesevariables appears: y{i1} will appear a number of times equal to the number of

subsets J of I that contain y{i1}; this is half of the subsets, i.e. 2d−1 times.The variable y∅ appears once for each subset J ⊆ I of even cardinality, i.e.∑bs/2c

`=0

(s2`

)= 2d−1 times. Hence the left hand side of the equation becomes

2d−1(y{i1}+ . . .+ y{i1}+ y∅). Since d ≥ 2 and we are in F2, we have 2d−1 = 0 sothe equation is satisfied.

Finally note that the Moebius transform can again be used for efficiency. Namelyputting h(y1, . . . , yt) = f(y1b1 + . . .+ ytbt) and computing the Moebius trans-form hM of h, the set of equations Ld are precisely the equations hM (y1, . . . , yt) =0 for all (y1, . . . , yt) of weight d. Moreover we obtain automatically the sets ofequations L1 and L0. If f satisfies L1 then f is a constant, which is another testneeded in the cube attack.

5 Implementation

We implemented our ideas and tested them on the stream cipher Trivium [1]. Thepublic variables are in this case the initialisation vector and the secret variablesare the key.

To test the cube attack over different vector spaces, as described in Sec. 3 wegenerated a large vector space V of initialisation vectors of dimension 28 givingus(28k

)subspaces of each dimension k = 0, . . . , 28. Linearity testing is performed

as described in Section 4 using a basis of 6 linearly independent keys, meaningwe evaluate at 26 keys for a total of 26 − 6− 1 evaluations. This will allow us todetect results that are constant, of estimated degree 1 to 5 or degree 6 or more.

We utilised a 64-bit parallelised implementation of Trivium in order to anal-yse 64 rounds simultaneously. The first bit of output represents round 640, withthe 64th bit of output representing round 703. This allows us to compare ourresults with the results presented by Dinur and Shamir in their original cubepaper [3] which found cubes of size 12 between 672 and 680 rounds. We alsoused parallelisation to implement the preprocessing phase of the cube attack.We utilised a multicore machine so that each core receives one of the 26 keysand runs Trivium for the given key and all the 228 initialisation vectors in thelarge vector space. Each core then applies the Moebius transform on the data itcomputed. This significantly improved the efficiency of the preprocessing phase.

The vector space V is specified by a basis of 28 vectors, and it will be helpfulto think of them as the rows of a 28 × 80 matrix A. The implementation canrun the standard cube attack, by choosing 28 variable indices i1, . . . , i28 andsetting the entries of A so that columns i1, . . . , i28 form a diagonal matrix andthe remaining columns are all zero. When running the attack on an arbitraryvector space, we again choose 28 variable indices i1, . . . , i28, set the columnsi1, . . . , i28 to form a diagonal matrix, but specify two probabilities p and q whichdefine whether the entries in the remaining 80− 28 = 52 columns set to 0 or 1.

9

We define q as the probability that a column in matrix A will follow theprobability p or be set to all zeroes. The probability p defines the probabilitythat an entry will be set to 1 in matrix A. This means that when p is set to 0,q becomes irrelevant and when q is set to 0, p becomes irrelevant. Setting eitherp or q to 0 is the equivalent of running the standard cube attack.

We run the attack where q = 1 and p = 0, 0.03, 0.5, 0.97, 1, meaning that allcolumns in the basis which don’t correspond to any of the i1, . . . , i28 indices arechosen according to the probability p (for p = 1, all the remaining 52 columnsare set to all ones in the basis). A further test is run where q = 0.0625 andp = 0.5 which generates a fairly sparse matrix A as the probability of a columnof variables being chosen using probability p is low therefore most variables areset to 0. We kept the choice of i1, . . . , i28 the same in all cases.

6 Discussion

Figs. 1 and 2 show how many subspaces of each dimension (as a percentage of allsubspaces of that dimension) were found to return constant results where q = 1and p = 0 or p = 1

Multiple lines show the results over different numbers of rounds, from 641to 703. Predictably there are fewer constant results found at smaller dimensionsas the number of rounds increases, indicating that the degree of the underlyingpolynomial is increasing.

Fig. 1. Percentage of Constant Vector Spaces where p = 0, q = 1 for selected rounds

When comparing the two figures, it is clear that constant results are foundat smaller dimensions when p = 0 compared to p = 1. There were no constantresults found for 703 rounds when p = 1 whereas constant results were found incubes as small as 19 when p = 0. This shows that changing the vector space canhave a negative effect on an attacker’s ability to find linear results.

This result is confirmed by Fig. 3 and Fig. 4, which are similar to Fig. 1 andFig. 2 but show the percentages of subspaces that produce linear (rather than

10

Fig. 2. Percentage of Constant Vector Spaces where p = 1, q = 1 for selected rounds

Fig. 3. Percentage of Linear Vector Spaces where p = 0, q = 1 for selected rounds

Fig. 4. Percentage of Linear Vector Spaces where p = 1, q = 1 for selected rounds

11

Fig. 5. Percentage of Degree 2 Vector Spaces where p = 0, q = 1 for selected rounds

Fig. 6. Percentage of Degree 2 Vector Spaces where p = 1, q = 1 for selected rounds

12

constant) results. For each of the rounds presented, the peak dimension wherelinear results are most frequent is slightly larger (by 3 to 5 units) when p = 1(Fig. 4) compared to where p = 0 (Fig. 3).

There are however some benefits to changing the vector space, as shown inFig. 7. When analysed on the same scale, we can see that a higher percentage ofsubspaces produce linear results when we increase the search space by changingthe vector space of the cube attack. Across all rounds, the test where p = 1consistently showed a 3 to 4 times higher percentage of linear results beingfound as compared to where p = 0.

Furthermore, the percentage of subspaces found at dimension 14 where p = 1in Fig. 7 is equivalent to the percentage of cubes found at cube size 12 and 13where p = 0. While again reinforcing the result that the required dimension doesincrease, this shows that it is not always of significant detriment to the attacker.

The trend of increasing the required vector space dimension continues whenwe test using a small value for q. Fig. 7 shows a large increase in the percentage oflinear cubes found when p = 0.5, q = 0.0625 compared to p = 1, q = 1 althoughthese linear results are found at a significantly higher dimension.

Fig. 7. Percentage of Linear Vector Spaces where q = 1 when p = 0 and p = 1, andq = 0.0625 when p = 0.5

When the value of p is set to a value other than 0 or 1 while q = 1, the attackbecomes significantly less effective. We tested with both very dense set of basisvectors (p = 0.97) and very sparse (p = 0.03) as well as uniform (p = 0.5) andthe results were nearly identical in all cases. Tab. 1 shows that in these casesthere were no constant, linear or degree 2 results found, as well as an insignificantnumber of degree 3 results using 641 rounds. The similar behaviour between allvalues of p in this range when q = 1 could be due to the fact that although wecontrolled the density of the basis vectors, the rest of the vectors in the spacewill have quite high density irrespective of the density of the basis vectors due

13

to the high value of q. This is in contrast to the result presented in Fig. 7 whichshowed a significant number of linear results when p = 0.5 and q is small.

Table 1. Percentage of Vector Spaces of degree 0 to 6 when 0 < p < 1 and q = 1

Degree 0 1 2 3 4 5 6

Percentage 0 0 0 < 0.001% 0.78% 49.21% 50%

The fact that for Trivium the cube attack over arbitrary vector spaces Vperforms in general worse than the usual cube attack when q is large is, onone hand, disappointing from an attacker’s point of view. However on the otherhand it offers insights into the properties of Trivium. Namely it shows thatcube attacks work for Trivium not only because the degree increases relativelyslowly through the rounds, but also because for the degree that is achieved, thedistribution of the monomials is not uniform, as would be expected for a randomfunction. This phenomenon has been observed in other contexts, for example thedensity of terms of each degree is estimated by Fouque and Vannet [6]. Anothermanifestation of this phenomenon is that out of all the linear equations thatwere found by different cube attacks on Trivium reported in the literature, thevast majority contain only one or two secret key variables, instead of around 40variables as would be expected.

An alternative way to look at this would be to create a new, enhanced “blackbox” for Trivium, which contains a multiplication of the vector of public IVvariables by an arbitrary fixed invertible matrix. The result of the multiplicationis fed into the usual Trivium black box function. It is expected that the usualcube attack on this enhanced black box would have a much reduced chance ofsuccess, as it would be, in effect, equivalent to running our generalised cubeattack on the usual Trivium black box. Obviously, the matrix needs to be secret,as otherwise the attacker could undo its effect. Preliminary tests on small cubesseem to confirm this idea, but a full investigation will be the subject of futurework.

Acknowledgements The authors would like to thank the referees for usefulcomments. One of the referees brought to our attention the recent paper [2] thatwe had not been aware of, and in which higher order derivatives with respect toan arbitrary vector space (as explored in Sec. 3) were used for statistical attackson the NORX cipher.

References

1. Christophe De Canniere. Trivium: A stream cipher construction inspired by blockcipher design principles. In Information Security, 9th International Conference, ISC2006, Samos Island, Greece, August 30 - September 2, 2006, Proceedings, pages 171–186, 2006.

2. Sourav Das, Subhamoy Maitra, and Willi Meier. Higher order differential analysisof NORX. IACR Cryptology ePrint Archive, 2015:186, 2015.

14

3. Itai Dinur and Adi Shamir. Cube attacks on tweakable black box polynomials. InEUROCRYPT, pages 278–299, 2009.

4. Itai Dinur and Adi Shamir. Applying cube attacks to stream ciphers in realisticscenarios. Cryptography and Communications, 4(3-4):217–232, 2012.

5. Ming Duan and Xuejia Lai. Higher order differential cryptanalysis framework andits applications. In International Conference on Information Science and Technology(ICIST), pages 291–297, 2011.

6. Pierre-Alain Fouque and Thomas Vannet. Improving key recovery to 784 and 799rounds of trivium using optimized cube attacks. In Fast Software Encryption - 20thInternational Workshop, FSE 2013, Singapore, March 11-13, 2013. Revised SelectedPapers, pages 502–517, 2013.

7. Pierre-Alain Fouque and Thomas Vannet. Improving key recovery to 784 and 799rounds of trivium using optimized cube attacks. IACR Cryptology ePrint Archive,2015:312, 2015.

8. Antoine Joux. Algorithmic Cryptanalysis. Chapman & Hall/CRC, 1st edition, 2009.9. S. Knellwolf and W. Meier. High order differential attacks on stream ciphers. Cryp-tography and Communications, 4(3-4):203–215, 2012.

10. Xuejia Lai. Higher order derivatives and differential cryptanalysis. In Richard E.Blahut, Daniel J. Costello, Jr., Ueli Maurer, and Thomas Mittelholzer, editors, Com-munications and Cryptography, volume 276 of The Springer International Series inEngineering and Computer Science, pages 227–233. Springer Verlag, 1994.

11. M. Vielhaber. Breaking ONE.FIVIUM by AIDA an algebraic IV differential attack.Cryptology ePrint Archive, Report 2007/413, 2007. urlhttp://eprint.iacr.org/.